tech-pkg archive


Re: Imagemagick policy



I'm a security person, so I really do not agree with insecure-by-default, even if it is the upstream policy/opinion.
The patch we have was added by the pkgsrc security team to address a published issue.
Please don't use the open config as default.

ImageMagick is installed as a dependency for other packages too, including several that are clearly intended to be network services.

Maybe I am not the typical pkgsrc user, but I don't think I have ever installed it on a single-user machine.

Thanks,

  - Tim


On Thu, Oct 19, 2023 at 10:13 AM Thomas Klausner <wiz%gatalith.at@localhost> wrote:
On Thu, Oct 19, 2023 at 10:44:11AM -0400, Greg Troxel wrote:
> It seems obvious (hah!) that the security policy should be controlled by
> something in etc as a config file, so that it survives updates.  If not,
> that would be great to fix.

It already is a config file, even now.
 Thomas

